
EAP-TTLS: Disable CHAP, MSCHAP, and MSCHAPV2 in CONFIG_FIPS=y builds

FIPS builds do not include support for MD4/MD5, so disable
EAP-TTLS/CHAP, MSCHAP, and MSCHAPV2 when CONFIG_FIPS=y is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 9 years ago
parent
commit
835c89a16b
3 changed files with 23 additions and 2 deletions
  1. 17 0
      src/eap_peer/eap_ttls.c
  2. 3 1
      wpa_supplicant/Android.mk
  3. 3 1
      wpa_supplicant/Makefile

+ 17 - 0
src/eap_peer/eap_ttls.c

@@ -254,11 +254,13 @@ static int eap_ttls_v0_derive_key(struct eap_sm *sm,
 }
 
 
+#ifndef CONFIG_FIPS
 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
 					struct eap_ttls_data *data, size_t len)
 {
 	return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len);
 }
+#endif /* CONFIG_FIPS */
 
 
 static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data,
@@ -429,6 +431,10 @@ static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
 					    struct eap_method_ret *ret,
 					    struct wpabuf **resp)
 {
+#ifdef CONFIG_FIPS
+	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPV2 not supported in FIPS build");
+	return -1;
+#else /* CONFIG_FIPS */
 #ifdef EAP_MSCHAPv2
 	struct wpabuf *msg;
 	u8 *buf, *pos, *challenge, *peer_challenge;
@@ -511,6 +517,7 @@ static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
 	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
 	return -1;
 #endif /* EAP_MSCHAPv2 */
+#endif /* CONFIG_FIPS */
 }
 
 
@@ -519,6 +526,10 @@ static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
 					  struct eap_method_ret *ret,
 					  struct wpabuf **resp)
 {
+#ifdef CONFIG_FIPS
+	wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAP not supported in FIPS build");
+	return -1;
+#else /* CONFIG_FIPS */
 	struct wpabuf *msg;
 	u8 *buf, *pos, *challenge;
 	const u8 *identity, *password;
@@ -593,6 +604,7 @@ static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
 	ret->decision = DECISION_COND_SUCC;
 
 	return 0;
+#endif /* CONFIG_FIPS */
 }
 
 
@@ -655,6 +667,10 @@ static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
 					struct eap_method_ret *ret,
 					struct wpabuf **resp)
 {
+#ifdef CONFIG_FIPS
+	wpa_printf(MSG_ERROR, "EAP-TTLS: CHAP not supported in FIPS build");
+	return -1;
+#else /* CONFIG_FIPS */
 	struct wpabuf *msg;
 	u8 *buf, *pos, *challenge;
 	const u8 *identity, *password;
@@ -723,6 +739,7 @@ static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
 	ret->decision = DECISION_COND_SUCC;
 
 	return 0;
+#endif /* CONFIG_FIPS */
 }
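Review bot: The CONFIG_FIPS branches added at the top of eap_ttls_phase2_request_mschapv2(), eap_ttls_phase2_request_mschap() and eap_ttls_phase2_request_chap() reject the method only when a Phase 2 request is being built, so as far as these hunks show, a network configured for one of these methods is still accepted and fails only during authentication, with a single MSG_ERROR line. The code that selects the Phase 2 type is outside the visible hunks; if it does not already do so, it should refuse CHAP, MSCHAP and MSCHAPV2 under CONFIG_FIPS so the misconfiguration is reported before any exchange starts. Each new branch would also benefit from a comment giving the reason, for example `/* FIPS builds omit MD4/MD5, which this method requires */`. In the FIPS branch none of the parameters is used, which may produce unused-parameter warnings depending on the warning flags in use; the bodies of all three functions are only partly visible here.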
 
 

+ 3 - 1
wpa_supplicant/Android.mk

@@ -428,9 +428,11 @@ L_CFLAGS += -DEAP_TTLS
 OBJS += src/eap_peer/eap_ttls.c
 OBJS_h += src/eap_server/eap_server_ttls.c
 endif
-MS_FUNCS=y
 TLS_FUNCS=y
+ifndef CONFIG_FIPS
+MS_FUNCS=y
 CHAP=y
+endif
 CONFIG_IEEE8021X_EAPOL=y
 endif
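Review bot: The new `ifndef CONFIG_FIPS` guard covers only the `MS_FUNCS=y` and `CHAP=y` assignments in this EAP-TTLS block, so it keeps the MD4/MD5-dependent code out of a FIPS build only if no other option elsewhere in the file (not visible in this hunk) sets the same variables. It is worth confirming that, and that the build also passes `-DCONFIG_FIPS` to the compiler, since the `#ifdef CONFIG_FIPS` branches in src/eap_peer/eap_ttls.c depend on it. A one-line comment above the guard, such as `# MS_FUNCS and CHAP need MD4/MD5, which FIPS builds do not provide`, would record the reason. The same applies to the identical hunk in wpa_supplicant/Makefile.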
 

+ 3 - 1
wpa_supplicant/Makefile

@@ -425,9 +425,11 @@ CFLAGS += -DEAP_TTLS
 OBJS += ../src/eap_peer/eap_ttls.o
 OBJS_h += ../src/eap_server/eap_server_ttls.o
 endif
-MS_FUNCS=y
 TLS_FUNCS=y
+ifndef CONFIG_FIPS
+MS_FUNCS=y
 CHAP=y
+endif
 CONFIG_IEEE8021X_EAPOL=y
 endif